THE PART II, PROOF OF CONCEPT, PHASE HAS BEEN SUCCESSFULLY
COMPLETED.


ENCLOSED IN THIS REPORT ARE THE FOLLOWING ATTACHMENTS:

1) GUIDELINES AND ASSUMPTIONS

2) SUMMARY/CONCLUSIONS

3) FF-DAREL WORKSHEETS WITH SUPPORTING ENCLOSURES

- GDS SCHEMATIC

- FUNCTIONAL BLOCK DIAGRAM

- GDS MECHANICAL/ELECTRICAL I/F

- BLOCK FUNCTIONS TABLE

- FUNCTIONAL FAILURES TABLE

- ACTIVE COMPONENTS IN FUNCTIONAL BLOCKS

4) MAINTAINABILITY AND RELIABILITY CONSIDERATIONS IN HEALTH
MANAGEMENT

1. GUIDELINES/ASSUMPTIONS

* Evaluate/Analyze only the Gas Distribution Subsystem (GDS)

* Focus HM activities on the FF-DAREL Process

* Use the PDR Configuration (per COTR instruction)

(All are aware that this configuration has changed considerably since PDR)

* Develop HM Requirements from all available data on all subsystems (This is more
mature information than would normally be available for use in defining requirements)

* Make assumptions, as necessary, to complete this effort

* If a "Component" fails in our analysis, we do not concern ourselves as to how it fails,
except to the extent of the "Resulting Effects"



2. SUMMARY/CONCLUSIONS 


The Gas Distribution Subsystem was studied and evaluated utilizing the PDR
Configuration and with respect to the design features encompassing Health Management (HM)
aspects outlined in the Generic Handbook (specifically the FF-DAREL Process). This HM effort
addresses equipment and failures at a higher level than FMEA efforts, results in fewer
worksheets, and focuses results toward "Test" and "Operations" issues.

We were only able to conduct limited discussions with the skilled designers who are
extremely knowledgeable of the GDS. This limitation has probably resulted in somewhat shallow
analysis, but the major subjects have been addressed and evaluated.

The GDS is largely a self-contained subsystem, and is largely simplex, but some
redundancy is included in the design; its functions have been identified and its use in HM has
been analyzed. The lack of needed, or possibly desired, redundancy is also identified and its
impact is assessed. A significant lack of "two fault tolerant Functional Failure" cases (component
and paths) is identified and a recommendation for simple inclusion of redundancy is being
discussed with the Detail Designer. The details of the approach could be pursued, if desired, by
the Detail Design Engineer. A significant amount of manual operations to perform "Corrective
Action" has been identified (even operational procedures). This condition often precludes
utilizing software to isolate and recover from Functional Failures.

The software is not yet mature and detail was not available to us to ensure whether or not
Paragraph 3.1.2.6.3.1 in the S/W Requirement Specification, Level III (The S/W shall be capable
of detecting, isolating, and responding to faults within the GDS) is being met. Our conclusion is
that the PDR GDS configuration will not allow this requirement to be accommodated in many
instances (identified in the FF-DAREL Worksheets). Accommodating this requirement is a
significant effort, but is vital to our HM Concept and would be documented in the ISIRL for each
Functional Failure and for use in Test and Operations. Note: The S/W requirement is also stated
in the "Core System Requirement Document", Para 3.3.7.

The results of this study have shown a definite need for coordinating
measurements within, and between, subsystems to ensure that Functional Failures
are properly revealed and can be substantiated as valid by other measurements, even from other
interfacing subsystems.



We were not able to perform a major goal of our Concept involving "Developing an
additional level of Information by defining Intersystem Informational Relationships". This was
because the Experiment Module (EM) and ICE are the only electrical interfaces to the GDS. The
EM (specifically, the Crystal Growth Module) has just within the past few days identified a
significant number of measurements for that system. This will allow some additional HM
considerations and evaluations, but time was not available to perform this task. The ICE Interface
is more mature, but was not addressed because of guidelines and time constraints on this effort.
These efforts can be readily accomplished with additional time to perform the assessments.

We have concluded that the HM aspects in our Concept could have been significantly
enhanced in the GDS design had the Concept been in place at the start of the Initial Design Phase
of the Project. However, we feel that this Part II, Proof of Concept Phase, has been very
successful and has accomplished its purpose. It indicates very useful types of information which
can be gleaned and evaluated from the current design and which are useful to the Project and Project
Manager in upcoming Reviews and throughout the SSFF Development/Operational Phase.
















3. FF-WORKSHEETS WITH SUPPORTING ENCLOSURES 


FUNCTIONAL BLOCK DIAGRAM

GDS MECHANICAL I/F

GDS ELECTRICAL I/F


BLOCK FUNCTIONS TABLE


1. GAS SUPPLY MODULE

a. Supplies inert gas to Core Rack gas control module when manual valve is open
b. Provides safety over pressure device (BD1)
c. Provides manual pressure readout at all times

2. CORE RACK GAS CONTROL MODULE

a. Provides control (manual valve) and filtering of GN2 from SSLNS to TECS
b. Provides filtering, pressure regulation and control (SV) of LN2 to IR (Left & Right) gas
supply assemblies
c. Provides filtering, pressure regulation and control (SV) of (AR) to IR (Left & Right) gas
supply assemblies
d. Provides over pressure safety devices (BD2, BD3)

3. GAS SUPPLY ASSEMBLY (2 EACH, 1 OF WHICH HAS 2 SEPARATE, DUAL
FUNCTIONS)

a. Provides source gas (AR or LN2) selection
b. Provides (Selected) gas control (SV) to EM
c. Provides blocking of EM gasses which might travel backward to GDS (CV)

4. PRESSURE CONTROL ASSEMBLY (3 EACH, 1 FOR EACH EM)

a. Provides control (SV) of EM gasses to accumulator (for use when SS Vacuum Exhaust
System is not available)

5. VACUUM VENT ASSEMBLY (2 EACH, 1 OF WHICH SERVES 2 EM'S)

a. Provides particle filtering
b. Provides pressure relief (RV) [2 relief (redundant) valves for each EM]
   - To Vacuum Exhaust System
c. Provides Control (2 series SV & MV & DCV) of exhaust gasses to VES
d. Provides Control (SV & MV) drainage of accumulator to VLS
e. Provides Selection of VRS or VTS to downstream (outlet side) of EM
FUNCTIONAL FAILURES

1. GAS SUPPLY MODULE

a. Fails to supply inert gas to core rack gas control
b. Fails to stop supplying inert gas to core rack
c. Failure to provide over pressure relief
d. Manual pressure gage fails to provide readout

2. CORE RACK GAS CONTROL MODULE

a. Fails to provide control and filtered LN2 to TECS
b. LN2 to IR (Left and/or Right) gas supply assemblies
   - Fails to filter
   - Fails to provide proper regulation
   - Fails to supply
c. AR to IR (Left and/or Right) gas supply assemblies
   - Fails to filter
   - Fails to provide proper regulation
   - Fails to supply
d. Fails to provide over pressure relief

3. GAS SUPPLY ASSEMBLY

a. DCV 1, 3 or 5 fails to allow selection of source gas
b. SV3, 7 or 11 fails to control (On/Off) gas flow to EM
c. CV1, 2 or 3 fails to block EM gasses backflow into GDS

4. PRESSURE CONTROL ASSEMBLY

a. Fails to vent EM gasses to accumulator when commanded

5. VACUUM VENT ASSEMBLY

a. Fails to provide particle filtering
b. Fails to provide EM pressure relief to VES (Redundant)
   Fails to provide EM pressure relief to VES (Redundant)
c. SV4, 8, 12 fails to vent EM exhaust gasses to VES when commanded
d. SV5, 10, 14 and MV4, 5 & 6 fails to provide drainage of accumulator to VTS when
commanded
e. DCV2, 4, 6 fails to select VUS or VES to downstream EM when commanded
ACTIVE COMPONENTS IN FUNCTIONAL BLOCKS


I GAS SUPPLY MODULE

- Pressure Vessel                 PV1
- Pressure Gauge                  PG1
- Safety Device                   BD1
- Manual Valve                    MV1
- Quick Disconnect                QD1

II CORE RACK GAS CONTROL MODULE

For LN2

- Quick Disconnect                QD4
- Manual Valve                    MV2
- Filter (01 Mic)                 F2
- Manual Valve                    MV3
- Pressure Regulator (1 Stage)    PR2
- Pressure Transducer             PT3
- Solenoid Valve                  SV2
- Burst Disc                      BD3
- Vent Filter                     VF2
- Quick Disconnect                QD5
- Quick Disconnect                QD6

For Inert (AR) Gas

- Filter (01 Mic)                 F1
- Pressure Transducer             PT1
- Pressure Regulator              PR1
- Pressure Transducer             PT2
- Solenoid Valve                  SV1
- Burst Disc                      BD2
- Vent Filter                     VF1
- Quick Disconnect                QD2
- Quick Disconnect                QD3
III GAS SUPPLY ASSEMBLY (RIGHT IR)

- Quick Disconnect (AR)           QD11
- Quick Disconnect (LN2)          QD12
- Directional Control Valve       DCV5
- Solenoid Valve                  SV11
- Check Valve                     CV3
- Experiment Module               EM(R-IR)

IV PRESSURE CONTROL ASSEMBLY (RIGHT IR)

- Pressure Transducer             PT8
- Vacuum Sensor                   VS3
- Solenoid Valve                  SV13
- Pressure Transducer             PT9
- Accumulator                     ACC3

V VACUUM VENT ASSEMBLY (RIGHT IR)

- Relief Valve                    RV5
- Relief Valve                    RV6
- Filter (01 Mic)                 F5
- Solenoid Valve                  SV12
- Solenoid Valve                  SV14
- Manual Valve                    MV6
- Directional Control Valve       DCV6
- Quick Disconnect (VUS)          QD13
- Quick Disconnect (VBS)          QD14
VI GAS SUPPLY ASSEMBLY (LEFT IR)

- Quick Disconnect (AR)           QD7
- Quick Disconnect (GN2)          QD8

For EM-1

- Directional Control Valve       DCV1
- Solenoid Valve                  SV3
- Check Valve                     CV1
- Experiment Module               EM-1

For EM-2

- Directional Control Valve       DCV3
- Solenoid Valve                  SV7
- Check Valve                     CV2
- Experiment Module               EM-2

VII PRESSURE CONTROL ASSEMBLY (LEFT IR)

For EM-1

- Pressure Transducer             PT4
- Vacuum Sensor                   VS1
- Solenoid Valve                  SV5
- Pressure Transducer             PT5
- Accumulator                     ACC1

For EM-2

- Pressure Transducer             PT6
- Vacuum Sensor                   VS2
- Solenoid Valve                  SV9
- Pressure Transducer             PT7
- Accumulator                     ACC2
VIII VACUUM VENT ASSEMBLY (LEFT IR)

- Quick Disconnect (VRS)          QD9
- Quick Disconnect (VUS)          QD10

For EM-1

- Relief Valve                    RV1
- Relief Valve                    RV2
- Filter (01 Mic)                 F3
- Solenoid Valve                  SV4
- Solenoid Valve                  SV6
- Manual Valve                    MV4
- Directional Control Valve       DCV2

For EM-2

- Relief Valve                    RV3
- Relief Valve                    RV4
- Filter (01 Mic)                 F4
- Solenoid Valve                  SV8
- Solenoid Valve                  SV10
- Manual Valve                    MV5
- Directional Control Valve       DCV4



4. MAINTAINABILITY AND RELIABILITY CONSIDERATIONS 
IN HEALTH MANAGEMENT 


4.1 INTRODUCTION 

The Space Station Furnace Facility (SSFF) is a modular facility which will provide the
platform for materials research in the microgravity environment. The facility is designed to
accommodate Experiment Modules (EM) which house an experiment. The facility will provide
the function of interfacing the EM to ISSA services, conditioning and control for the experiment
module use, providing the controlled services to the experiment modules, and interfacing to and
acquiring data from the experiment modules.

The SSFF has several subsystems which provide the above mentioned functions. The
Subsystems are Electrical Power Subsystem (EPS), Command and Data Management Subsystem
(CDMS), Gas Distribution Subsystem (GDS), Thermal and Environmental Control Subsystem
(TECS), and the Instrumentation and Control Electronics (ICE) Subsystem.

4.2 HEALTH MANAGEMENT INTRODUCTION 

The facility is designed, constructed, tested to determine that it is in an operable state, and lifted
into space. Once in orbit, the SSFF is available to be placed on-line and to accept EMs in order
to perform experiments. The EMs are to be removed and replaced as required and remain in
operation for 2880 hours. This means that the SSFF is a mission oriented system. Analysis will
determine whether the system is to be a repairable or non-repairable system.

4.3 SYSTEM LEVEL HEALTH MANAGEMENT ANALYSIS 

For the SSFF to accomplish its intended purpose, it must operate without failure for 2880
hours. Since reality states that perfection is impossible, trade-offs must be made so that the
mission can be accomplished in a cost effective manner. The intent is to minimize the cost and
successfully accomplish the intended mission. For example, say that the cost of an EM plus the
cost of lifting the EM into orbit is $600,000.00 and each EM can be used only once. Table 1
shows an assumed relationship between Cost and P(MS). Assume that the allowable budget is
$2.4 million. This means that the P(MS) must be 0.97 in order to meet budget in order to have a
guaranteed successful mission. But trade studies reveal that it is possible to build a system that
meets a P(MS) or reliability of 0.94; however, it is very costly to build an SSFF that meets a
reliability of 0.97. Thus engineering must perform some trade-offs in order that a successful
mission can be performed as well as to be within cost.





It is known that the SSFF is composed of five subsystems. A network model of the
subsystems is a series system. This means that all of the subsystems must work for the system to
be a success. If one subsystem fails, then the system fails. Figure 1 shows the network model.
Equation 1 is the mathematical expression that represents the network model.


P(MS)     Cost to achieve success (worst case)

0.99      1.2
0.98      1.8
0.97      2.4
0.96      3.0
0.95      3.6
0.94      4.2

TABLE 1 COST Vs P(MS)


P(MS) = P(EPS) * P(TECS) * P(CDMS) * P(ICE) * P(GDS) (1)

Where P(MS) is the probability of mission success

P(EPS) is the probability that the EPS does not fail
P(TECS) is the probability that the TECS does not fail
P(CDMS) is the probability that the CDMS does not fail
P(ICE) is the probability that the ICE does not fail
P(GDS) is the probability that the GDS does not fail

NETWORK MODEL for the SSFF



Figure 1 Network Model of the SSFF 

First some approximate values of the probability of mission success will be selected. From
Table 1, a value for P(MS) of 0.94 seems to be a practical selection for a beginning analysis.
Since a P(MS) has been selected, the determination of test criteria can be investigated.


P(MS)                    P(SS)
(PROBABILITY OF          (PROBABILITY OF
MISSION SUCCESS)         SUBSYSTEM SUCCESS)

0.99                     0.99799
0.98                     0.99596
0.97                     0.99393
0.96                     0.99187
0.95                     0.98979
0.94                     0.98770


Table 2, Trial P(MS) 


Consider the SSFF as a single component system having a time-to-failure that is exponentially
distributed. Evaluate analytically and by simulation the model using a P(MS) of 0.94 for a period
of 2880 hours. Equation 2 is used to determine a trial failure rate for the SSFF.


P(MS) = exp(-λt) (2)

0.94 = exp(-λ * 2880)

λ = -Ln(0.94)/2880

λ = 21.48 / 10^6 failures per hr (3)

Equation 3 is the failure rate at which the SSFF must operate in order to provide the P(MS) of
0.94. This failure rate must be distributed over the five subsystems. From Equation 1,
assuming that all subsystem failure rates are equal, the P(MS) for each subsystem equals 0.9877.

This means that the failure rate for each subsystem is,

λ = 4.297 / 10^6 failures per hr (4)

Hence, the next step is to perform some trade studies to determine the availability of component
parts with the required failure rates, cost, and lead time for the procurement of these parts. From
experience, the availability of components that possess the required failure rates and meet cost
constraints is not cost effective. Trade-offs will have to be made.

For this example, the GDS is selected. When perusing the SSFF Maintainability Analysis, a
component in GDS was found that had a high failure rate of 21.9 failures for every million hours.
When evaluating the P(MS) of the subsystem and entire SSFF, this high failure rate component
was found to be a series element in the network model. The P(MS) of this component is 0.9389.
This figure is lower than the system P(MS).

In Section 2 above, it was stated that the determination of the system type as to a repairable
or non-repairable system would be made. From the results of the trade studies mentioned in the
previous paragraph, the system must be a repairable system in order to meet the P(MS) of 0.94.
By using maintainability, the system P(MS) can be raised in a very cost effective manner. It is
universally agreed that component parts with lower and lower failure rates are expensive and a
high man-hour requirement for maintenance is also very expensive. Again a trade study is needed
to determine a cost effective balance. Let's say that the trade study revealed that no science will
be lost if this high failure part can be replaced and the system returned to operation within 30
minutes. This decision will accomplish two things: the P(MS) of the system will be increased and
the cost will be reduced. Secondly, by managing the failure rate of the component, the
requirement for low failure components is reduced.

Let's investigate the test requirements for this maintenance action. From Equation 5, the
relative uncertainty can be calculated. From this analysis, test criteria will be selected. It is given
that the average time to repair the part or MTTR is 30 minutes. Assume a standard deviation of
1 or 3 minutes. How many trial runs are needed to yield certainty of success? Using Equation 5,
Table 2 was constructed. The Table shows that as the number of trials increases the degree of
uncertainty decreases. Also as the standard deviation decreases or narrows, the number of
required trials increases for a desired level of certainty. From Table 2, a certainty
is selected with a standard deviation of one. The reason for the selection is that a higher degree
of certainty is achieved for a fewer number of trials.


R 


un 



(5) 


Where = Relative Uncertainty of the Trial Test 
S = Standard Deviation 

X = Average or Mean Value 
n = Number of Trials Required 


n      S      X      Un       C

1      3      30     0.1      0.90
4      3      30     0.05     0.95
25     3      30     0.02     0.98
36     3      30     0.016    0.983
1      1      30     0.033    0.97
4      1      30     0.017    0.98
25     1      30     0.007    0.99
36     1      30     0.006    0.99



Table 2, Relationship between Number of Test Trials Vs Degree of Certainty 
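
The Section 4.3 allocation carried through in code, as an added example that is not part of the original report: it derives the system and per-subsystem failure rates from Equations 1 and 2, checks the 21.9 failures-per-million-hours component, confirms P(MS) by simulation, and sizes the repair trial count. The form of Equation 5 used here, S / (X * sqrt(n)), is an assumption inferred from the tabulated values, and all function names are illustrative.

```python
import math
import random

MISSION_HOURS = 2880                      # mission duration given in the report
SUBSYSTEMS = ("EPS", "TECS", "CDMS", "ICE", "GDS")

def failure_rate(p_success, hours=MISSION_HOURS):
    """Equation 2 solved for lambda: P = exp(-lambda * t)."""
    return -math.log(p_success) / hours

def survival(rate, hours=MISSION_HOURS):
    """Probability of no failure over the mission at a constant failure rate."""
    return math.exp(-rate * hours)

def allocate_equal(p_mission, n=len(SUBSYSTEMS)):
    """Equation 1 with equal subsystem rates: returns (P(SS), per-subsystem lambda)."""
    rate_ss = failure_rate(p_mission) / n
    return survival(rate_ss), rate_ss

def violates_budget(component_rate, p_mission):
    """A series element whose own survival is below P(MS) makes the target unreachable."""
    return survival(component_rate) < p_mission

def simulate(p_mission, runs=50_000, seed=1):
    """Monte Carlo check: a mission succeeds only if every subsystem outlives it."""
    rng = random.Random(seed)
    _, rate_ss = allocate_equal(p_mission)
    ok = sum(
        all(rng.expovariate(rate_ss) > MISSION_HOURS for _ in SUBSYSTEMS)
        for _ in range(runs)
    )
    return ok / runs

def relative_uncertainty(s, x, n):
    """Assumed form of Equation 5 (inferred from the table): S / (X * sqrt(n))."""
    return s / (x * math.sqrt(n))

def trials_needed(s, x, certainty):
    """Smallest n whose relative uncertainty is at most 1 - certainty."""
    n = (s / (x * (1.0 - certainty))) ** 2
    return math.ceil(n - 1e-9)            # guard against floating-point overshoot

if __name__ == "__main__":
    for p in (0.99, 0.98, 0.97, 0.96, 0.95, 0.94):
        p_ss, rate = allocate_equal(p)
        print(f"P(MS)={p:.2f}  P(SS)={p_ss:.5f}  lambda_ss={rate * 1e6:.3f} per 1e6 h")
    print("system lambda:", round(failure_rate(0.94) * 1e6, 2), "per 1e6 h")
    print("21.9 per 1e6 h component survival:", round(survival(21.9e-6), 4))
    print("exceeds budget:", violates_budget(21.9e-6, 0.94))
    print("simulated P(MS):", simulate(0.94))
    print("trials for 98% certainty, S=3, X=30:", trials_needed(3, 30, 0.98))
```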
4.4 REQUIREMENTS


The HM requirements of the GDS can be stated:

The failure rate of the following systems shall be no greater than 4.297 failures in one
million hours:

1. EPS

2. TECS

3. ICE

4. CDMS

The GDS shall have a mean time to repair (MTTR) of 30 minutes with a standard deviation of 3
minutes.

Test requirements shall be that sufficient trials be conducted so that a 98% degree of certainty is
achieved. The number of trials shall not be less than 25. The success criteria shall be that 98% of
the trials result in the replacement of the single component and the SSFF returned to service in
less than or equal to 30 minutes.